Re: Drilling through firewalls

I'm looking for ideas on ways to subvert firewalls for
short messages. I.e., passing what *appears* to be
*legitimate* traffic through a (properly configured)
firewall that is, in fact, *not* acting in the "apparent"
purpose. In particular, I'm interested in some of the
"less obvious" ways of doing so.

I'm concerned with "classic" firewalls, here (e.g.,
running on a bastion host) -- not the MS variety
(the idea of running a firewall on a desktop machine
seems *too* funny! :> )

To establish any communication, at least one computer outside must have
an open server port. Clients could connect to it and communicate with each
other through whatever outbound connections are allowed by the firewall. There
is no problem encapsulating your data in HTTP or any other common
protocol.

The problem lies in my expectation of a "(properly configured)"
firewall.

A good security officer will look at *each* node on his network
and configure the firewall to allow the *minimum* connectivity
REQUIRED by the device in question. Then, write rules to
restrict the traffic between that node and the outside world
to *exactly* that level -- nothing more.

If, for example, the device in question is a laptop, then the
MAC/IP associated with the laptop will probably have very
permissive rules regarding what it can and can't talk to on
the outside.

OTOH, if the device in question is a temperature sensor (recall
this is c.a.e), chances are it *won't* be allowed to access
websites, send email, etc. directly with the outside world! :>
Likewise, the outside world will be "hindered" from accessing
that device as well (no doubt, this example would have the
device "not routed"... but, with some thought, you can come
up with a device that *will* be routed -- though with limits
placed on its connectivity).

So, the task is to come up with "non-obvious" (see my post)
ways of drilling through the firewall's rule set.

Before the days of switches, this would have been easier
as network/peer discovery was almost "free". But, now the
switch limits just what traffic you see and, thus, how much
you can glean about the rest of the network (and the traffic
that the firewall is allowing for those *other* nodes).
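The per-node "minimum connectivity REQUIRED" approach described in the post above, as an added example that is not part of the thread: a small Python policy checker that holds an allowlist per source node (default deny for anything not listed), evaluates constructed flow records against it, and reports every flow the rule set would reject. A denied flow from a device like the temperature sensor is exactly the kind of event a security officer would want logged and alerted on, since a correctly behaving sensor never generates it. The device addresses, ports, the collector, and the log format are assumptions made up for the example.

```python
"""Per-node egress policy check (added example, not code from the thread).

Each node gets only the connectivity it needs; everything else is denied.
All addresses, ports and log lines below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    dst: str    # CIDR the node is permitted to reach
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed per-node allowlists. The sensor may do exactly one thing:
# send readings to an internal collector (assumed CoAP on 10.0.0.5).
# The laptop gets broad web access plus internal DNS, and nothing else.
POLICY = {
    "192.0.2.10": [Rule("10.0.0.5/32", "udp", 5683)],            # temperature sensor
    "192.0.2.20": [Rule("0.0.0.0/0", "tcp", 443),                 # laptop: HTTPS anywhere
                   Rule("0.0.0.0/0", "tcp", 80),                  # laptop: HTTP anywhere
                   Rule("10.0.0.53/32", "udp", 53)],              # laptop: internal DNS only
}


def is_allowed(flow, policy=POLICY):
    """True only if some rule for this source node matches proto, port and CIDR."""
    rules = policy.get(flow.src)
    if not rules:
        return False  # unknown node: default deny, nothing is implicitly permitted
    for r in rules:
        if (r.proto == flow.proto and r.dport == flow.dport
                and ip_address(flow.dst) in ip_network(r.dst)):
            return True
    return False


def audit(flows, policy=POLICY):
    """Return the flows the rule set rejects; each is a policy violation."""
    return [f for f in flows if not is_allowed(f, policy)]


def parse_flow(line):
    """Parse the constructed log format 'src=... dst=... proto=... dport=...'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"], int(fields["dport"]))


# Constructed flow log: two legitimate flows and three that the policy should reject.
SAMPLE_LOG = [
    "src=192.0.2.10 dst=10.0.0.5 proto=udp dport=5683",     # sensor reading to collector
    "src=192.0.2.10 dst=198.51.100.7 proto=tcp dport=80",   # sensor trying HTTP outbound
    "src=192.0.2.20 dst=198.51.100.7 proto=tcp dport=443",  # laptop HTTPS
    "src=192.0.2.20 dst=198.51.100.7 proto=tcp dport=25",   # laptop direct SMTP
    "src=192.0.2.99 dst=198.51.100.7 proto=tcp dport=443",  # node with no rules at all
]


def audit_log(lines=SAMPLE_LOG, policy=POLICY):
    """Parse log lines and return the denied flows in log order."""
    return audit([parse_flow(line) for line in lines], policy)


if __name__ == "__main__":
    for denied in audit_log():
        print("DENY", denied)
```

Run stand-alone, it prints the three rejected flows. The important design point is the shape of the policy rather than the specific rules: the lookup is keyed by source node, there is no catch-all rule, and an unknown node matches nothing, so the sensor's attempt to reach a web server on port 80 is denied and surfaces in the audit even though the same flow from the laptop would be legitimate.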